
SAP System Security for the Intranet and Internet

To protect SAP systems and applications from misuse and attack, a number
of powerful security functions are included in the standard product
delivery (see Figure 1). These security functions must be deployed in
combination with appropriate measures for the network infrastructure,
operating systems, and database installations. The ultimate goal is to
leave no vulnerabilities in any of these layers, because even a single
security hole could be enough for an intruder to sneak in and do damage.

Figure 1

System Layers and Security Services

Secure Communications

A well-designed network features different protection zones and only
a very few well-known and protected transitions between these zones (see
Figure 2). To get from one zone to another, communication traffic
has to pass through a firewall system. Nowadays, everybody expects a firewall
between a company's intranet and the public Internet. Fewer people recognize
the value of firewalls inside the corporate network, separating mission-critical
SAP applications and database servers from the hundreds and thousands
of PCs and user workstations in the client network.

Figure 2

Network Protection Zones

How sure are you about the intentions of
your internal users, and the nature and modification status of the software
installed on their PCs? Just as you set up "Demilitarized Zones" (DMZs)
at the border between the Internet and your intranet, and place Web servers
and proxies between an external and an internal firewall, inside your
corporate network you need well-configured network routers, address and
port filters, and so on. A secure network can also be complemented nicely
by VPNs (Virtual Private Networks) extending your extranet to customers
and partners.
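
The zone model described above can be checked mechanically against planned or observed traffic. The following is an added example, not part of the original article: the address ranges, zone names, port choices and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
ZONES = [
    ("dmz",     ipaddress.ip_network("192.0.2.0/24")),
    ("clients", ipaddress.ip_network("10.10.0.0/16")),
    ("sap_app", ipaddress.ip_network("10.20.1.0/24")),
    ("sap_db",  ipaddress.ip_network("10.20.2.0/24")),
]

# The few permitted transitions between zones and the TCP ports open on each.
# Port choices are assumptions: 443 HTTPS, 3299 SAProuter default,
# 1521 standing in for the database listener.
ALLOWED = {
    ("internet", "dmz"):    {443},
    ("dmz", "sap_app"):     {443},
    ("clients", "sap_app"): {443, 3299},
    ("sap_app", "sap_db"):  {1521},
}

def zone_of(addr):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"

def check_flow(src, dst, port):
    """Classify one flow as 'same-zone', 'allowed' or 'violation'."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return s, d, "same-zone"
    verdict = "allowed" if port in ALLOWED.get((s, d), set()) else "violation"
    return s, d, verdict

def violations(flows):
    """Return (flow, src_zone, dst_zone) for flows that skip a defined transition."""
    results = [(flow, *check_flow(*flow)) for flow in flows]
    return [(flow, s, d) for flow, s, d, v in results if v == "violation"]

# Constructed sample flows (src, dst, tcp port), as might come from firewall logs.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 443),  # Internet -> DMZ web server
    ("10.10.4.20", "10.20.1.5", 3299),    # client PC -> SAProuter
    ("10.10.4.20", "10.20.2.8", 1521),    # client PC straight to the database
    ("198.51.100.7", "10.20.1.5", 443),   # Internet traffic bypassing the DMZ
]
```

Running `violations(SAMPLE_FLOWS)` reports the client PC reaching the database directly and the Internet host reaching the application server without passing through the DMZ.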

With such a network setup, there are only
a few doors left vulnerable to penetration by intruders. Your firewalls
do have these doors (otherwise you couldn't go in yourself), so you must
put guards in place. These guards include strong authentication and access
control, as well as encrypted communications.

All commercial Web servers, and the SAP
product components they host today, support the Internet standard protocol
Secure Sockets Layer (SSL) and can run HTTP over SSL (called HTTPS). With
HTTPS, you ensure that clients and servers can be authenticated to one
another via strong cryptography, and that they exchange strong encryption
key information to protect all their communications from eavesdropping
and message tampering. For the classical SAP communication protocols (DIAG,
RFC), the same level of protection is achieved using SAP's Secure Network
Communications (SNC) option and the SAProuter software as an application-level
gateway.

User Management

An important prerequisite for the security of an information processing
system is to know who is using it. Therefore, each SAP system includes
a user management service. For each user of the system, a user master
record is created, which contains the required data about the user's identity,
status, authentication, and authorization information.

SAP user management can be done centrally
from one system for the whole SAP system landscape, and can also be integrated
with Directory Services using the Lightweight Directory Access Protocol
(LDAP). In the future, SAP will lay increasing emphasis on managing user
and authorization data via LDAP and Directories.

TIP: For a comprehensive discussion on securing the multiple
layers of an SAP infrastructure, refer to the article "Is It Time
To Revisit Your SAP Security Infrastructure?" in the September/October
2000 issue of the SAP Professional Journal.

Authentication and Single Sign-On

To authenticate users when they access SAP applications, several mechanisms
are supported (depending on security requirements and the SAP product
release used). Everybody understands the concept of passwords, along with
their advantages (easy to use, remember, and carry around) and drawbacks
(weak passwords can be guessed, you may need several to access different
systems, and the danger of wiretapping).

With SAP's SNC option, you can switch off
passwords and achieve Single Sign-On from a separate security infrastructure
deployed in your company. This can be your Windows NT or Windows 2000
network, or other security infrastructures as provided by SAP partner
products. It is also possible to equip your users with digital certificates
according to the X.509 standard and use them for SAP logon (with or without
smartcards).

With HTTPS and SSL client authentication,
digital certificates can be used for logon to SAP systems from a standard
Web browser over the SAP Internet Transaction Server (ITS). A painless
certificate enrollment procedure is provided with mySAP Workplace using
the SAP Trust Center Service.

To allow even more options for flexible
and secure user authentication and Single Sign-On, SAP recently introduced
the SAP Logon Ticket mechanism. Using Pluggable Authentication Services
(PAS), customers can install their favorite authentication service (for
example, NT logon, LDAP logon, RADIUS, etc.) on the ITS and use it for
the initial authentication to the first SAP application, such as the mySAP
Workplace enterprise portal shown in Figure 3.

Upon successful authentication, an SAP
Logon Ticket, which is valid for a limited period of time (typically a
few hours), is created for the user and stored in the browser's main memory.
This ticket is then used to access other SAP and non-SAP applications
without additional user intervention.
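
The ticket flow described above (issue once after the initial authentication, accept elsewhere until expiry) can be modelled in a few lines. This is an added example, not SAP's code or the SAP Logon Ticket format: the field names are hypothetical and an HMAC over a shared key is swapped in as the integrity mechanism for illustration.

```python
import base64
import hashlib
import hmac
import json

def issue_ticket(key, user, now, lifetime=8 * 3600):
    """Issue a ticket after the initial authentication has succeeded.

    'user' and 'exp' are hypothetical field names; lifetime is in seconds.
    """
    body = json.dumps({"user": user, "exp": int(now) + lifetime},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())

def verify_ticket(key, ticket, now):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    try:
        b64_body, b64_tag = ticket.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:  # wrong number of parts or broken base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Check integrity before parsing or trusting any field in the body.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:  # limited validity period
        return None
    return claims["user"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value for the example
    t = issue_ticket(key, "ALICE", now=1000, lifetime=3600)
    print(verify_ticket(key, t, now=2000))   # accepted by a second application
    print(verify_ticket(key, t, now=4600))   # rejected: ticket has expired
```

An accepting application only needs the verification key and a clock; the expiry check bounds how long a ticket copied from the browser remains useful.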

Figure 3

mySAP Workplace Single Sign-On

Authorization

Each service and application accessed by a user in an SAP system is controlled
by the SAP Authorization Concept. Users are assigned roles, which are
defined by the application developers and managed by system administrators.
The roles contain lists of services and objects that can be accessed by
role owners. Sophisticated tool support (SAP Profile Generator) is available
to generate the technical authorization objects and profiles required
for good performance at runtime from the abstract role definitions.

With mySAP Workplace, SAP is currently
extending and generalizing its role concept into the world of non-SAP
applications as well. Ultimately, mySAP Workplace provides a central tool
for managing user authorizations in the application landscape of the enterprise.

Integrity, Confidentiality, and Non-Repudiation

With the SAP Transaction and Authorization Concept, it is not easy for
an attacker to read or manipulate data, or access services without permission.
To achieve an even higher level of security, as required, for example,
in the course of high-volume business transactions, some SAP applications
use digital signatures and document encryption as provided by
SAP's Secure Store and Forward (SSF) functionality. With SSF, a user's digital
certificate and private key information are used to create unforgeable
cryptographic seals over certain data (digital signatures), or to encrypt
documents so that they can only be decrypted by the intended recipients.
This functionality requires SAP applications to work with an existing
Public-Key Infrastructure (PKI), which is achieved via SSF.

Auditing and Logging

Think no one will detect your unauthorized actions in an SAP system?
Behind all business transaction processing, the Security Audit Log (SAL)
is active to record security-relevant actions in log files. These log
files provide the necessary data for security administrators and auditors
to verify the health of your SAP system and analyze activities in the
event of security incidents or hacking attempts.

Dr. Jurgen Schneider has been involved in the design and implementation
of SAP security functions since 1996. Since 1998, he has been the Development
Manager for Security in SAP's Technology Development. He can be reached
at j.schneider@sap.com.